#2465 [RFE] Move IPA content from /usr/share/ipa to instance-specific place in /var/lib/ipa
Opened 12 years ago by abbra. Modified 3 years ago

Upcoming planned changes in FHS (file system layout) simplification imply that /usr could become read-only and writable only during RPM operations like install/uninstall/upgrade. We have a jar file with browser config generated and signed during the IPA server install. The file is then placed in /usr/share/ipa. This will not work with read-only /usr in Fedora 18 or 19.

We need to treat /usr/share/ipa as template/model content and set up an instance-specific version of the files in /var/lib/ipa/ipa-<REALM>. This would be compatible with future FHS changes and also would allow co-existence of multiple IPA instances in future.


Is this going to be an issue any more after we switch to the plugin based solution?
Seems like by addressing https://fedorahosted.org/freeipa/ticket/3094 we solve the problem.
Putting into NEEDS_TRIAGE to discuss and close.

Replying to [comment:4 dpal]:

> Is this going to be an issue any more after we switch to the plugin based solution?
> Seems like by addressing https://fedorahosted.org/freeipa/ticket/3094 we solve the problem.
> Putting into NEEDS_TRIAGE to discuss and close.

The JAR file is still being generated and used with old browsers which cannot use the new FF plugin. I think there are also other files generated during ipa-server-install, i.e. we need to move the directory.

Changing 3.2 priority

Metadata Update from @abbra:
- Issue assigned to rcritten
- Issue set to the milestone: Future Releases

7 years ago

The linked BZ reports that a number of files (as of IPA 4.5) are still written to /usr during install:

/usr/share/ipa/html/ca.crt
/usr/share/ipa/html/configure.jar
/usr/share/ipa/html/kerberosauth.xpi
/usr/share/ipa/html/krb5.ini
/usr/share/ipa/html/krb.con
/usr/share/ipa/html/krb.js
/usr/share/ipa/html/krbrealm.con
/usr/share/ipa/html/preferences.html

Metadata Update from @rcritten:
- Issue close_status updated to: None

5 years ago

With 4.8 the installer creates

/usr/share/ipa/html/ca.crt
/usr/share/ipa/html/krb5.ini
/usr/share/ipa/html/krb.con
/usr/share/ipa/html/krbrealm.con

We should consider dropping creation of krb5.ini, krb.con and krbrealm.con. These were added to support the MIT Kerberos client in Windows.

That would leave ca.crt as well as the two symlinks ssbrowser.html -> ../../../../etc/ipa/html/ssbrowser.html and unauthorized.html -> ../../../../etc/ipa/html/unauthorized.html.

I'm puzzled about the HTML files. They appear to be static (no realm/domain specific data) but are stored in /etc/ipa/html.

IIRC the files were moved to /etc specifically for the read-only /usr reason.

Honestly, ca.crt should probably be a symlink as well; otherwise it's possible for it to get out-of-sync with /etc/ipa/ca.crt.

Symlinking ca.crt sounds like a good idea.
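
The drift risk raised in the last two comments, shown as an added example that is not part of the original ticket and is not FreeIPA code: a check that reports whether a published CA certificate is a symlink to the canonical file, an identical copy, or a stale copy. The function name `ca_sync_state` and its state labels are hypothetical, the comparison is byte-for-byte, and `readlink -f` is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# Added example (not FreeIPA code): report how the web-served CA certificate
# relates to the canonical one. In the thread these are
# /usr/share/ipa/html/ca.crt (published) and /etc/ipa/ca.crt (canonical).
ca_sync_state() {
    published=$1
    canonical=$2
    if [ ! -e "$canonical" ]; then
        echo canonical-missing; return 2
    fi
    if [ -L "$published" ]; then
        if [ ! -e "$published" ]; then
            echo dangling-symlink; return 2
        fi
        # A symlink that resolves to the canonical file cannot drift.
        if [ "$(readlink -f "$published")" = "$(readlink -f "$canonical")" ]; then
            echo symlink-ok; return 0
        fi
    elif [ ! -e "$published" ]; then
        echo published-missing; return 2
    fi
    # Separate file (or symlink to something else): byte-compare the contents.
    if cmp -s "$published" "$canonical"; then
        echo copy-in-sync; return 0    # equal now, but nothing keeps it so
    fi
    echo out-of-sync; return 1
}

# Demo on constructed files in a temporary directory; no real IPA path is touched.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed CA bundle v1\n' > "$d/etc-ca.crt"
    cp "$d/etc-ca.crt" "$d/html-ca.crt"
    ca_sync_state "$d/html-ca.crt" "$d/etc-ca.crt" || true   # copy made at install time
    printf 'constructed CA bundle v2\n' > "$d/etc-ca.crt"
    ca_sync_state "$d/html-ca.crt" "$d/etc-ca.crt" || true   # canonical replaced, copy left behind
    ln -sf "$d/etc-ca.crt" "$d/html-ca.crt"
    ca_sync_state "$d/html-ca.crt" "$d/etc-ca.crt" || true   # symlink, as proposed in the thread
    rm -rf "$d"
}
demo
```

On a server the call would be `ca_sync_state /usr/share/ipa/html/ca.crt /etc/ipa/ca.crt`; exit status 1 marks a stale copy and 2 a missing or dangling file.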
